CVE-2021-26291Origin Validation Error in Apache Maven

CWE-346Origin Validation ErrorCWE-200Sensitive Information Exposure12 documents9 sources
Severity
9.1CRITICALNVD
EPSS
46.1%
top 2.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Jenkins MavenApache MavenQuarkus+3 more
Timeline
PublishedApr 23
Latest updateJan 16

Description

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repositor

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages6 packages

NVDapache/maven< 3.8.1
CVEListV5apache_software_foundation/apache_mavenApache Maven3.8.1
Debianjenkins/maven< 3.8.6-1+2
NVDquarkus/quarkus< 1.13.5

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
Origin Validation Error in Apache Maven2021-06-16
OSV
Origin Validation Error in Apache Maven2021-06-16
OSV
CVE-2021-26291: Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting i2021-04-23
CVEList
block repositories using http by default2021-04-23

📋Vendor Advisories

7
Ubuntu
Apache Maven vulnerability2023-01-16
Ubuntu
Apache Maven vulnerability2022-08-18
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Third Party Jars (Apache Maven) — CVE-2021-262912022-07-15
Oracle
Oracle Oracle GoldenGate Risk Matrix: General (Apache Maven) — CVE-2021-262912022-04-15
Red Hat
maven: Block repositories using http by default2021-04-23
CVE-2021-26291 — Origin Validation Error in Apache | cvebase